Russian tech giant Yandex source code leaked

According to foreign media reports, a source code leak occurred at Yandex, one of Russia's largest IT technology companies.

Almost all Yandex source code leaked

A former employee allegedly leaked a Yandex source code repository that revealed 1,922 ranking factors that Yandex uses in its search algorithm.

Currently, the leaked Yandex source code repository has been uploaded to a popularhackerLeaked as a BT torrent on the forum.

On January 26, the leaker posted a magnet link claiming to be "Yandex git sources" containing 44.7 GB of files stolen from the company in July 2022. The code repositories allegedly contain the company's anti-spam All source code outside the rules.

Software engineer Arseniy Shestakov analyzed the leaked Yandex Git repository and said it contained technical data and code about the following products:

Yandex search engine and indexing bot
Yandex Maps
Alice (AI assistant)
Yandex Taxi
Yandex Direct (ads service)
Yandex Mail
Yandex Disk (cloud storage service)
Yandex Market
Yandex Travel (travel booking platform)
Yandex360 (workspaces service)
Yandex Cloud
Yandex Pay (payment processing service)
Yandex Metrika (internet analytics) Shestakov also shared a directory listing of the leaked files on GitHub for those who want to see which source code was stolen. "There are at least some API keys, but they were probably only used for test deployments," Shestakov said of the leaked data.

Yandex denies hack, blames source code leak on former employee

In a statement to Bleeping Computer, Yandex said their systems were not hacked and that a former employee leaked the source code repository.

“Yandex was not hacked. Oursecurity servicesA code snippet was discovered from an internal repository in the public domain, but the content differs from the current version of the repository used in the Yandex service.

Repositories are tools for storing and using code. Most companies use code internally this way. The purpose of a code repository is to process code, not to store personal user data. We are conducting an internal investigation into the reasons for releasing the source code snippet to the public, but we are not aware of any threat to user data or platform performance. ” - Yandex.

Increase risk of hacker exposure

Commenting on the leak to BleepingComputer, Grigory Bakunov, former senior system administrator, deputy head of development and director of communications technology at Yandex, said he was very familiar with the leaked code, having worked at the tech giant from 2002 to 2019.

Bakunov believes that,data breachThe motivation was political and the "rogue" Yandex employee who caused the data breach was not trying to sell the code to a competitor.

The former executive added that the leak did not include any customer data and therefore did not pose a direct risk to the privacy or security of Yandex users, nor did it directly threaten and leak proprietary technology.

"Yandex uses a single storage structure called 'Arcadia', but not all of the company's services use it. Additionally, even just building a service requires a lot of internal tools and expertise, as standard build procedures don't apply. Leaked storage The library only contains the code; the other important part is the data. Key parts like the model weights of the neural network are missing, so are of little use. Still, there are a lot of 'interesting' files with names like "blacklist.txt" that might Expose running services."

However, Bakunov also reminded that the leaked code makes it possible for hackers to identify security vulnerabilities and implement targeted exploits. Now, it's just a matter of time.

The former executive also commented on Yandex's statement, saying that the leaked code may not be the same as the current code used in the company's work service, but the similarity may be as high as 90%. Therefore, after a thorough examination of the leaked code, malicious hackers are likely to find exploitable gaps in the Yandex system.